Gradient Inversion Attacks on Parameter-Efficient Fine-Tuning

• URL: http://arxiv.org/abs/2506.04453v1
• Date: Wed, 04 Jun 2025 21:14:21 GMT
• Title: Gradient Inversion Attacks on Parameter-Efficient Fine-Tuning
• Authors: Hasin Us Sami, Swapneel Sen, Amit K. Roy-Chowdhury, Srikanth V. Krishnamurthy, Basak Guler,
• Abstract summary: Federated learning (FL) allows multiple data-owners to collaboratively train machine learning models by exchanging local gradients.<n>Recently, parameter-efficient fine-tuning (PEFT) of large-scale pretrained models has gained substantial attention in FL.<n>We investigate how the privacy of the fine-tuning data of the users can be compromised via a malicious design of the pretrained model and trainable adapter modules.
• Score: 25.434223317282274
• License: http://creativecommons.org/licenses/by-nc-sa/4.0/
• Abstract: Federated learning (FL) allows multiple data-owners to collaboratively train machine learning models by exchanging local gradients, while keeping their private data on-device. To simultaneously enhance privacy and training efficiency, recently parameter-efficient fine-tuning (PEFT) of large-scale pretrained models has gained substantial attention in FL. While keeping a pretrained (backbone) model frozen, each user fine-tunes only a few lightweight modules to be used in conjunction, to fit specific downstream applications. Accordingly, only the gradients with respect to these lightweight modules are shared with the server. In this work, we investigate how the privacy of the fine-tuning data of the users can be compromised via a malicious design of the pretrained model and trainable adapter modules. We demonstrate gradient inversion attacks on a popular PEFT mechanism, the adapter, which allow an attacker to reconstruct local data samples of a target user, using only the accessible adapter gradients. Via extensive experiments, we demonstrate that a large batch of fine-tuning images can be retrieved with high fidelity. Our attack highlights the need for privacy-preserving mechanisms for PEFT, while opening up several future directions. Our code is available at https://github.com/info-ucr/PEFTLeak.

Related papers

• CENSOR: Defense Against Gradient Inversion via Orthogonal Subspace Bayesian Sampling [63.07948989346385]
  Federated learning collaboratively trains a neural network on a global server.<n>Each local client receives the current global model weights and sends back parameter updates (gradients) based on its local private data.<n>Existing gradient inversion attacks can exploit this vulnerability to recover private training instances from a client's gradient vectors.<n>We present a novel defense tailored for large neural network models.
  arXiv  Detail & Related papers  (2025-01-27T01:06:23Z)
• Partial Federated Learning [26.357723187375665]
  Federated Learning (FL) is a popular algorithm to train machine learning models on user data constrained to edge devices. We propose a new algorithm called Partial Federated Learning (PartialFL), where a machine learning model is trained using data where a subset of data modalities can be made available to the server.
  arXiv  Detail & Related papers  (2024-03-03T21:04:36Z)
• Understanding Deep Gradient Leakage via Inversion Influence Functions [53.1839233598743]
  Deep Gradient Leakage (DGL) is a highly effective attack that recovers private training images from gradient vectors. We propose a novel Inversion Influence Function (I$2$F) that establishes a closed-form connection between the recovered images and the private gradients. We empirically demonstrate that I$2$F effectively approximated the DGL generally on different model architectures, datasets, attack implementations, and perturbation-based defenses.
  arXiv  Detail & Related papers  (2023-09-22T17:26:24Z)
• Evaluating Privacy Leakage in Split Learning [8.841387955312669]
  On-device machine learning allows us to avoid sharing raw data with a third-party server during inference. Split Learning (SL) is a promising approach that can overcome limitations. In SL, a large machine learning model is divided into two parts, with the bigger part residing on the server side and a smaller part executing on-device.
  arXiv  Detail & Related papers  (2023-05-22T13:00:07Z)
• BAFFLE: A Baseline of Backpropagation-Free Federated Learning [71.09425114547055]
  Federated learning (FL) is a general principle for decentralized clients to train a server model collectively without sharing local data. We develop backpropagation-free federated learning, dubbed BAFFLE, in which backpropagation is replaced by multiple forward processes to estimate gradients. BAFFLE is 1) memory-efficient and easily fits uploading bandwidth; 2) compatible with inference-only hardware optimization and model quantization or pruning; and 3) well-suited to trusted execution environments.
  arXiv  Detail & Related papers  (2023-01-28T13:34:36Z)
• Shielding Federated Learning Systems against Inference Attacks with ARM TrustZone [0.0]
  Federated Learning (FL) opens new perspectives for training machine learning models while keeping personal data on the users premises. The long list of inference attacks that leak private data from gradients, published in the recent years, have emphasized the need of devising effective protection mechanisms. We present GradSec, a solution that allows protecting in a TEE only sensitive layers of a machine learning model.
  arXiv  Detail & Related papers  (2022-08-11T15:53:07Z)
• Acceleration of Federated Learning with Alleviated Forgetting in Local Training [61.231021417674235]
  Federated learning (FL) enables distributed optimization of machine learning models while protecting privacy. We propose FedReg, an algorithm to accelerate FL with alleviated knowledge forgetting in the local training stage. Our experiments demonstrate that FedReg not only significantly improves the convergence rate of FL, especially when the neural network architecture is deep.
  arXiv  Detail & Related papers  (2022-03-05T02:31:32Z)
• Do Gradient Inversion Attacks Make Federated Learning Unsafe? [70.0231254112197]
  Federated learning (FL) allows the collaborative training of AI models without needing to share raw data. Recent works on the inversion of deep neural networks from model gradients raised concerns about the security of FL in preventing the leakage of training data. In this work, we show that these attacks presented in the literature are impractical in real FL use-cases and provide a new baseline attack.
  arXiv  Detail & Related papers  (2022-02-14T18:33:12Z)
• Fishing for User Data in Large-Batch Federated Learning via Gradient Magnification [65.33308059737506]
  Federated learning (FL) has rapidly risen in popularity due to its promise of privacy and efficiency. Previous works have exposed privacy vulnerabilities in the FL pipeline by recovering user data from gradient updates. We introduce a new strategy that dramatically elevates existing attacks to operate on batches of arbitrarily large size.
  arXiv  Detail & Related papers  (2022-02-01T17:26:11Z)
• When the Curious Abandon Honesty: Federated Learning Is Not Private [36.95590214441999]
  In federated learning (FL), data does not leave personal devices when they are jointly training a machine learning model. We show a novel data reconstruction attack which allows an active and dishonest central party to efficiently extract user data from the received gradients.
  arXiv  Detail & Related papers  (2021-12-06T10:37:03Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.